.

Exploit the User with SET – The Social Engineering Toolkit

<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 15, 2010 5:33 pm

Exploit the User with SET – The Social Engineering Toolkit

Another Tool Post, full link with videos at the bottom of quote:

I have to say… SET is just plain awesome. TheSocial Engineering Toolkit (SET) is a set of python scripts created by David Kennedy (aka rel1k) to automate many client side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides for some of best extensibility in this type testing. A couple of weekends ago Dave released 0.4 of SET at Shmoocon. I’ll be honest, i hadn’t used it much until now but, after a good bit of research I now appreciate its full glory.

SET’s Python scripts allow you to easily create phishing email attacks, create clones of any given URLs you provide it in a web based attack, and then on that page exploit the users machine using a java applet or browser exploits. It can create Malicious PDFs as well. In 0.4 there are many improvements:

- An improved java applet that is multi-platform and deals well with any permission type
- 0.4 adds Metasploit browser exploits in addition to the java applet
- Can launch the “Aurora” style attacks with Metasploit
- Improved cloned sites and redirect to legit site.
- Integrates with Backtrack’s sendmail or gmail addresses
- Spear phishing with input of email lists improved

The SET is highly tied to the Backtrack and Social-Engineer.org communities. Training authors and contributors to these sites are well recognized penetration testers with a high level of interest on client-side and social engineering based attack vectors. You’ll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Kennedy, etc, all working on these projects. In addition a whole section of the free Metasploit Unleashed training is dedicated to SET and they have an excellent setup and usage article here. Also Social-Engineer.org has anexcellent writeup as well.

SET has a large fanbase with many useful videos on usage and customized scopes. The First video is actually the new SET 0.4 updates presentation and a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek).

Check it and some of the other vids below =)


Videos Here:

http://www.securityaegis.com/exploit-the-user-with-set-the-social-engineering-toolkit/#more-979
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 15, 2010 6:06 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

Very cool app.  I am going to have to give a try.  Thanks for sharing!
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 15, 2010 7:34 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

David and company release yet another great tool.  Went to look him up today (he and I were talking last year about some possibilities while he was at SecureState,) and I didn't realize he left for Diebold.  I need to get in touch with him, again, and congratulate him.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1253

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 16, 2010 3:45 am

Re: Exploit the User with SET – The Social Engineering Toolkit

SET is really great, already used it a few times. Haven't seen the Shmoocon FireTalks: Both Nights video, thanks for posting.
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Mar 16, 2010 4:55 am

Re: Exploit the User with SET – The Social Engineering Toolkit

sounds good! cant wait to get an opportunity to try this! working on your social engineering skills improves not only the success of the attack, but gives you more advantage in "real life" too!
CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 16, 2010 2:19 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

I've been playing around with this tool, and it definitely saves time.  It has a nice interface with msf, and even ettercap for DNS / ARP poisoning.  The only issue I am having so far is that some of the msf paths to exploits in SET seem to be incorrect. 
~~~~~~~~~~~~~~
Ketchup
<<

pizza1337

Full Member
Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue Mar 16, 2010 2:32 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

I like this tool, I helped someone out using it(reverse vnc payload).  ;D
Knowledge Resource is Power.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Mar 16, 2010 2:41 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

pizza1337 wrote:I like this tool, I helped someone out using it(reverse vnc payload).  ;D


SET?  (or msf?)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

pizza1337

Full Member
Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue Mar 16, 2010 3:10 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

hayabusa wrote:
pizza1337 wrote:I like this tool, I helped someone out using it(reverse vnc payload).  ;D


SET?  (or msf?)


SET

I just tell the person to go to my IP, and all they have to do after that is run(java prompt) and i can help or do whatever..
Knowledge Resource is Power.
<<

pizza1337

Full Member
Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Thu Apr 01, 2010 1:58 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

http://www.secmaniac.com/april-2010/omf ... -5-teaser/

you guys have to see it!
its awesome.
Knowledge Resource is Power.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Apr 01, 2010 4:03 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

Looks like there a few more automation features coming in the next release.  Very nice!  A few less tasks I will have to do manually.
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Apr 01, 2010 4:07 pm

Re: Exploit the User with SET – The Social Engineering Toolkit

No kidding.  David's got SET rolling full-steam ahead, and it's nice to see.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1253

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Apr 02, 2010 11:58 am

Re: Exploit the User with SET – The Social Engineering Toolkit

Indeed, very nice. :)

Return to Tools

Who is online

Users browsing this forum: No registered users and 3 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software